LinkedIn Improves User Security

NEWS ANALYSIS: The social networking platform takes proactive steps to provide more visibility into security, but is there more that can or should be done?

Last week, the technology world was buzzing about the celebrity picture hack that involved Apple's iCloud service. While Apple is now making attempts to improve user security, other online services are doing so too.
LinkedIn, for one, has announced multiple steps it is taking to improve user security. For starters, LinkedIn will now provide users with full visibility into logged-in user session information to identify any potentially unauthorized access. Google has long provided a similar feature.
Going a step further, LinkedIn is taking specific precautions to help users identify any anomalous password activities.
"We've added a new set of information to the emails we send when there are security related changes to your account, such as a password change, so you can rest assured your account is secure," Madhu Gupta, head of security, privacy and customer service products at LinkedIn, wrote in a blog post. "The added information gives you more insight into when and where the account change took place, including the date and time and details on the device … the changes were made on such as the browser it was running, the Operating System (OS), IP address, and approximate physical location."

LinkedIn is no stranger to security incidents. Back in 2012, six million user passwords were stolen in a breach.

Lucas Zaichkowsky, enterprise defense architect at AccessData, told eWEEK that most of the new features that LinkedIn is adding for security purposes have become standard with social media services due to frequent account hacking activity.
"Being able to see which Web browsers and devices are perpetually logged in is very useful for identifying suspicious logins or forcing logout on devices that are no longer used," Zaichkowsky said. "Receiving a notice when your password is changed will make it immediately known if your account is completely taken over."
LinkedIn is also now enabling users to export all their own data with a single click. Zaichkowsky said that the data downloading feature is a move to address privacy concerns by allowing users to archive and maintain ownership of their content, while allowing them to see what LinkedIn knows about them.
While LinkedIn's renewed security efforts are noteworthy, it's also important to emphasize what it already offers its users. Marc Maiffret, CTO at BeyondTrust, told eWEEK that ultimately one of the best methods of protecting such types of accounts is two-factor authentication (2FA). With 2FA, a second, randomly generated password (or factor) is required to gain access to an account.
"I wasn't even aware that LinkedIn supported it [2FA] until I just checked," Zaichkowsky said. "I'd encourage all Websites to not only support 2FA, but to also implement reminders for users to configure and enable it."
LinkedIn first added 2FA support to its site back in May 2013. Maiffret said that, in his view, social sites should start publishing the percentages of their users who have enabled 2FA and how that is trending. He added that 2FA is still a bit cumbersome for users to get set up and running on some services and so more work needs to be done to simplify the process.
"I think the standard in the future will be that these services all require 2FA by default, similar to how Google moved to SSL [Secure Sockets Layer] by default," he said. "But such a change to SSL is much easier to implement—no real end-user involvement—compared to 2FA, and so it will take some time to get there."
Sean Michael Kerner is a senior editor at eWEEK and InternetNews.com. Follow him on Twitter @TechJournalist.